| Domain | Weight | Description |
|---|---|---|
| Domain 1: Architect for Governance, Compliance and Risk Management | 17% | Determine legal, regulatory, organizational, and industry requirements: identify the applicable information security standards and guidelines, recognize third-party and contractual obligations such as those arising from supply chains and partnerships, and understand sensitive-data standards and privacy regulations. Design systems for auditability so that regulatory and legislative requirements can be evidenced, and coordinate with external entities such as law enforcement and independent assessors. Manage risk: identify and classify risks, conduct risk assessments, recommend appropriate treatment strategies such as mitigation or transfer, and monitor and report on risk. |
| Domain 2: Security Architecture Modeling | 15% | Determine the security architecture approach: identify the architecture types and scopes (enterprise, network, Service-Oriented Architecture (SOA), cloud, Internet of Things (IoT), and Industrial Control Systems (ICS)/Supervisory Control and Data Acquisition (SCADA)), and apply frameworks such as Sherwood Applied Business Security Architecture (SABSA) and the Service-Oriented Modeling Framework (SOMF) together with reference architectures and blueprints. Configure security settings, including baselines, benchmarks, and profiles, and network configurations covering physical and logical layout, high availability, segmentation, and zones. Verify and validate the design: conduct Functional Acceptance Testing (FAT) and regression testing, validate the results of threat modeling (threat vectors, impact, and probability), identify gaps and alternative solutions, and perform Independent Verification and Validation (IV&V) through tabletop exercises, modeling and simulation, and manual review of functions. |
| Domain 3: Infrastructure Security Architecture | 21% | Develop infrastructure security requirements, that is, the specifications for securing the foundational components of a system. Design a defense-in-depth architecture: multiple, overlapping layers of controls so that the failure or bypass of any single control does not expose the system. Secure shared services such as wireless, email, Voice over Internet Protocol (VoIP), Unified Communications (UC), Domain Name System (DNS), and Network Time Protocol (NTP). Integrate technical security controls so that individual mechanisms reinforce one another, and design and integrate infrastructure monitoring so that the security state of infrastructure components can be observed and managed. |
| Domain 4: Identity and Access Management (IAM) Architecture | 16% | Design identity management and its lifecycle, access control management and its lifecycle, and identity and access solutions. This includes establishing and verifying identity, assigning identifiers to users, services, processes, and devices, and managing identity provisioning and de-provisioning. Trust relationships, authentication methods, and authentication protocols and technologies must be defined. Access control concepts and principles, access control configurations, and authorization processes and workflows must be addressed. Roles, rights, and responsibilities for system, application, and data access control, the management of privileged accounts, and authorization methods such as Single Sign-On (SSO) and role-based access control must be designed and integrated into the solution. |
| Domain 5: Architect for Application Security | 13% | Integrate the Software Development Life Cycle (SDLC) with the application security architecture: assess code review methodologies, determine the need for application protection such as a Web Application Firewall (WAF) and secure APIs, specify encryption requirements for data at rest, in transit, and in use, evaluate the need for secure communications between applications and databases or other endpoints, and use secure code repositories. Determine application security capability requirements and strategy: review the security of the various application types, determine cryptographic solutions, and evaluate the applicability of security controls to system components such as mobile and web client applications and proxy, application, and database services, across environments including open source and Cloud Service Providers (CSPs). |
| Domain 6: Security Operations Architecture | 18% | Gather security operations requirements, taking legal, compliance, organizational, and business needs into account. Design information security monitoring, which may include Security Information and Event Management (SIEM), insider threat detection, threat intelligence, user behavior analytics, and Incident Response (IR) procedures, with attention to the detection and analysis processes. Design proactive and automated security monitoring and remediation, such as vulnerability management, compliance audits, and penetration testing. |
Official Information |
https://www.isc2.org/Certifications/CISSP-Concentrations#tab-2-1 |